EU AI Act: Implications for UK Companies
Introduction
The EU AI Act, officially published on 12 July 2024, introduces a comprehensive framework for regulating artificial intelligence across the European Union. This legislation establishes harmonised rules for AI system deployment, operation, and monitoring through a risk-based approach. High-risk AI systems face stringent obligations, while systems posing unacceptable risks are prohibited entirely.
Regulatory Approach: EU vs UK
The EU and UK have adopted fundamentally different approaches to AI regulation. The EU's framework is prescriptive and centralised, regulating AI across all lifecycle stages and sectors through a risk categorisation system. In contrast, the UK utilises existing regulators and emphasises sector-specific expertise, implementing a principles-based framework focused on regulating AI use rather than the technology itself.
The EU establishes a coordinated network involving new and established regulators, a central European AI Board, and national competent authorities in each Member State. Non-compliance penalties can reach €30m or 6% of global annual turnover. The UK has not proposed comparable penalties under its current regulatory proposals.
The EU is also advancing AI liability frameworks through the proposed EU AI Liability Directive, which aims to harmonise national liability rules and ease the burden of proof for AI-related damages. The UK is still exploring effective approaches to liability within the AI lifecycle and supply chain.
Key Changes Affecting UK Businesses
Risk Categorisation System
The Act categorises AI systems from unacceptable risk (banned) to high-risk (stringent obligations required). UK businesses developing or deploying AI systems in the EU must assess and categorise their technologies, potentially increasing compliance costs and requiring operational adjustments.
Central Regulatory Oversight
The establishment of the European AI Board and national competent authorities creates centralised regulatory oversight. UK businesses may need to engage with multiple regulatory bodies and adhere to centralised standards, increasing compliance complexity.
Stakeholder Obligations
The Act imposes specific obligations on providers, manufacturers, and distributors throughout the AI system lifecycle, including conformity assessments, record-keeping, and technical documentation for high-risk systems.
Integration with Data Governance Frameworks
The Act complements existing EU legislation including GDPR, the EU Data Governance Act, and the EU Data Act, which facilitate data re-use, sharing, and pooling. UK businesses must navigate both AI-specific regulations and broader data protection standards.
Transparency Requirements
Systems must meet transparency and disclosure obligations, including providing instructions for use and informing users about AI interactions.
Compliance Challenges for UK Companies
UK companies operating in both jurisdictions face potential regulatory overlap and must adhere to both the EU's centralised framework and the UK's sector-specific approach. This creates increased complexity, particularly in sectors with existing EU regulatory requirements that may not align with UK regulations.
The broad requirements in the EU Act, such as demonstrating compliance with "general engineering or scientific knowledge," create ambiguity that businesses must navigate while ensuring adherence to essential requirements.
High-risk AI systems must comply with stringent obligations including risk assessments, documentation, human oversight, and conformity assessments. The complexity of AI systems and supply chains may not align with existing liability regimes, requiring businesses to assess governance practices and implement appropriate risk management measures.
Global Implications
The EU AI Act influences international AI governance standards through initiatives like the EU-US Trade and Technology Council, developing codes of conduct and regulatory frameworks with global reach. UK companies operating internationally must consider both direct implications and the Act's influence on global regulatory trends.
Conclusion
UK companies must navigate a complex regulatory landscape involving the EU AI Act's risk-based requirements alongside the UK's sector-specific approach. Compliance with stringent obligations for high-risk AI systems, data governance frameworks, and evolving liability considerations is essential. Companies should monitor developments in both EU and UK AI regulatory frameworks so that they continue to operate lawfully and retain market access as the rules evolve.